Blog

Defend Your Time: Return on Risk Mitigation with Dan Holland

Welcome back to “Defend Your Time,” the podcast dedicated to helping you get stronger security, more value, and fewer headaches out of your Microsoft security investments. Listen and subscribe through Spotify, Apple Podcasts, or wherever you get your podcasts.

In this episode we’re joined by Dan Holland, Deputy CISO at Tampa General Health System (TGH) and Sam McHugh, security strategist at Ontinue. Dan and Sam talk about communicating risk to organizational leadership, with an emphasis on adopting language around “return on risk mitigation.” 

Understanding the Role and Challenges

Dan Holland recently transitioned to the role of Deputy CISO at a large academic medical center and shares the unique challenges he faces in his new role. Tampa General Health System (TGH), a $4 billion health system with 30,000 physicians and team members across 150 locations in Florida, has experienced significant growth, both organically and through acquisitions. That rapid expansion requires a strong cybersecurity foundation that both supports and secures the business processes being brought into the organization.

TGH’s commitment to cybersecurity was significantly heightened following a breach in 2023. Since then, the organization has tripled its investment in cybersecurity and expanded its team. A clear plan and strong governance have been critical to avoiding overreaction and to making sure the right investments are made. Dan highlights the need for continuous communication and operational efficiency to maintain the trust and support of executive leadership.

Quantifying Risk and Return on Investment

One of the key themes of the discussion is the importance of quantifying risk and demonstrating the return on investment (ROI) for security measures. Dan explains how TGH uses metrics such as security scorecards, peer benchmarking, and risk quantification methodologies to present a clear picture of the organization’s security posture. By calculating the annual loss expectancy (ALE) for each risk scenario and the return on risk mitigation for each candidate control, security leaders can prioritize investments and make informed decisions that align with the organization’s documented risk tolerance.
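The quantification described above, carried through as an added worked example in Python (this is not code from the podcast, TGH or Ontinue). It assumes the standard textbook definitions ALE = SLE x ARO and, as the concrete form of "return on risk mitigation", ROSI = (ALE before - ALE after - annual control cost) / annual control cost. Every scenario name, dollar figure, reduction fraction and the risk-tolerance ceiling below is constructed for illustration; a control set whose combined cost is zero is rejected rather than divided by, and controls touching the same scenario are assumed to act independently, so their reductions compose multiplicatively.

```python
"""Worked ALE / return-on-risk-mitigation example (added illustration).

Assumed definitions (standard, not taken from the podcast):
  ALE  = SLE x ARO
  ROSI = (ALE_before - ALE_after - annual control cost) / annual control cost
All figures below are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RiskScenario:
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annualized rate of occurrence: expected events per year

    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fractional reductions keyed by scenario name (0.0 = no effect, 1.0 = eliminates).
    aro_reduction: dict = field(default_factory=dict)
    sle_reduction: dict = field(default_factory=dict)


def _fraction(x: float) -> float:
    """Reject reductions outside [0, 1]; a typo here silently inflates savings."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"reduction must be in [0, 1], got {x}")
    return x


def total_ale(scenarios) -> float:
    return sum(s.ale() for s in scenarios)


def residual_ale(scenarios, controls) -> float:
    """ALE remaining after the given controls are applied.

    Assumption: controls act independently, so reductions on the same
    scenario compose multiplicatively (remaining = product of (1 - r)).
    """
    total = 0.0
    for s in scenarios:
        aro_factor = 1.0
        sle_factor = 1.0
        for c in controls:
            aro_factor *= 1.0 - _fraction(c.aro_reduction.get(s.name, 0.0))
            sle_factor *= 1.0 - _fraction(c.sle_reduction.get(s.name, 0.0))
        total += s.sle * sle_factor * s.aro * aro_factor
    return total


def rosi(scenarios, controls) -> float:
    """Return on security investment for a set of controls taken together."""
    cost = sum(c.annual_cost for c in controls)
    if cost <= 0:
        raise ValueError("ROSI is undefined for a zero-cost control set")
    saved = total_ale(scenarios) - residual_ale(scenarios, controls)
    return (saved - cost) / cost


def prioritize(scenarios, controls, risk_tolerance: float):
    """Rank each control on its own by ROSI and flag whether the residual
    ALE falls within the documented annual-loss tolerance."""
    rows = []
    for c in controls:
        after = residual_ale(scenarios, [c])
        rows.append({
            "control": c.name,
            "residual_ale": round(after, 2),
            "rosi": round(rosi(scenarios, [c]), 4),
            "within_tolerance": after <= risk_tolerance,
        })
    return sorted(rows, key=lambda r: r["rosi"], reverse=True)


# Constructed sample data (hypothetical; not TGH figures).
SCENARIOS = [
    RiskScenario("ransomware on clinical systems", sle=2_000_000, aro=0.2),
    RiskScenario("phishing-led account takeover", sle=150_000, aro=2.0),
    RiskScenario("lost unencrypted laptop", sle=50_000, aro=1.5),
]
CONTROLS = [
    Control("MFA + conditional access", 120_000,
            aro_reduction={"ransomware on clinical systems": 0.3,
                           "phishing-led account takeover": 0.8}),
    Control("immutable backups", 90_000,
            sle_reduction={"ransomware on clinical systems": 0.6}),
    Control("full-disk encryption", 40_000,
            sle_reduction={"lost unencrypted laptop": 0.9}),
]
RISK_TOLERANCE = 500_000  # hypothetical ceiling on annual expected loss

if __name__ == "__main__":
    print(f"ALE before controls: ${total_ale(SCENARIOS):,.0f}")
    for row in prioritize(SCENARIOS, CONTROLS, RISK_TOLERANCE):
        print(row)
    print(f"all three together: ROSI {rosi(SCENARIOS, CONTROLS):.3f}, "
          f"residual ALE ${residual_ale(SCENARIOS, CONTROLS):,.0f}")
```

Running it ranks the identity control first (it pays back twice its cost and is the only single control that brings residual ALE under the constructed tolerance), backups second and disk encryption third, and shows that the full portfolio has a lower ROSI than the best single control even though it leaves far less residual loss. That tension, best ratio versus staying inside tolerance, is exactly the trade-off a documented risk appetite is meant to settle.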

Dan underscores the need for security measures to enable, rather than hinder, business processes. By understanding how the organization delivers value and how information systems support that delivery, security leaders can work with stakeholders to implement controls that fit those processes instead of fighting them. Done that way, security strengthens the organization’s ability to deliver value rather than impeding it.

The Role of Governance and Communication

Effective governance and communication are crucial for maintaining a strong security posture. Dan discusses the importance of having a structured decision-making process and clear documentation of risk tolerance. This helps ensure that security measures are aligned with the organization’s priorities and that executive leadership is fully informed about the risks and the steps being taken to mitigate them.

Partnering for Success

Dan also highlights the importance of partnering with trusted external experts to supplement internal resources. He emphasizes the need for clear communication and collaboration with these partners to ensure that critical processes are handled effectively. By leveraging external expertise, organizations can achieve a higher level of security without overburdening internal teams.

Sam McHugh explains how Ontinue’s focus on Microsoft security customers and select industry verticals allows them to deliver a superior MXDR service. By specializing in a specific set of tools and approaches, Ontinue can provide deep expertise and tailored solutions that meet the unique needs of their clients. This focused approach keeps Ontinue’s team highly knowledgeable about the Microsoft security ecosystem, enabling them to offer more effective and efficient security services. Additionally, Ontinue’s use of Microsoft’s Lighthouse tool allows them to see into clients’ environments without taking control of their data, supporting transparency and trust in the partnership.